https://distro-recipes.org
Ulogd, or where kernel devels meet users
Éric Leblond
OISF
Distro Recipes 2013
Éric Leblond (OISF) Ulogd Distro Recipes 2013 1 / 14
Some words about me
- Eric Leblond
  - French
  - Previously, co-founder and CTO of EdenWall (RIP)
  - Now, contractor
  - Suricata IDS/IPS developer
  - @Regiteric on Twitter
  - [email protected]
- Coreteam member
- Working on:
  - some kernel stuff
  - libnetfilter_queue and userspace library
  - ulogd2 maintainer
At the beginning was syslog
- Pre-Netfilter days
- Flat packet logging
  - One line per packet
  - A lot of information
  - Non searchable
  - Not sexy

INPUT DROP IN=eth0 OUT= MAC=00:1a:92:05:ee:68:00:b0:8e:83:3b:f0:08:00 SRC=62.212.121.211 DST=91.121.73.151 LEN=60 TOS=0x00 PREC=0x00 TTL=58 ID=35342 DF PROTO=TCP SPT=59261 DPT=113 WINDOW=5440 RES=0x00 SYN URGP=0
IN IN=eth0 OUT= MAC=d4:be:d9:69:d1:51:00:11:95:63:c7:5e:08:00 SRC=31.13.80.7 DST=192.168.11.3 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=37732 DF PROTO=TCP SPT=443 DPT=48875 WINDOW=0 RES=0x00 ACK RST URGP=0
IN IN=eth0 OUT= MAC=d4:be:d9:69:d1:51:00:11:95:63:c7:5e:08:00 SRC=31.13.80.23 DST=192.168.11.3 LEN=86 TOS=0x00 PREC=0x00 TTL=243 ID=33964 DF PROTO=TCP SPT=80 DPT=49617 WINDOW=0 RES=0x00 ACK RST URGP=0
IN IN=eth0 OUT= MAC=d4:be:d9:69:d1:51:00:11:95:63:c7:5e:08:00 SRC=31.13.80.7 DST=192.168.11.3 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=62292 DF PROTO=TCP SPT=80 DPT=60462 WINDOW=0 RES=0x00 ACK RST URGP=0
IN IN=eth0 OUT= MAC=d4:be:d9:69:d1:51:00:11:95:63:c7:5e:08:00 SRC=31.13.80.7 DST=192.168.11.3 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=22480 DF PROTO=TCP SPT=443 DPT=50876 WINDOW=0 RES=0x00 ACK RST URGP=0
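The kernel LOG-target lines shown on this slide are the "non searchable" format the talk complains about. As an added example (not from the talk or the ulogd project), here is a small Python parser that turns such lines into structured records and answers the kind of questions ulogd's SQL outputs exist for. The sample input is the slide's own lines; field names follow the kernel's output, and reading the rule's verdict from a prefix ending in "DROP" is an assumption about how the rule was named.

```python
from collections import Counter

# Constructed input: the LOG-target lines from the slide, one per line.
# Everything before the first "IN=" is the iptables --log-prefix.
SAMPLE_LOG = """\
INPUT DROP IN=eth0 OUT= MAC=00:1a:92:05:ee:68:00:b0:8e:83:3b:f0:08:00 SRC=62.212.121.211 DST=91.121.73.151 LEN=60 TOS=0x00 PREC=0x00 TTL=58 ID=35342 DF PROTO=TCP SPT=59261 DPT=113 WINDOW=5440 RES=0x00 SYN URGP=0
IN IN=eth0 OUT= MAC=d4:be:d9:69:d1:51:00:11:95:63:c7:5e:08:00 SRC=31.13.80.7 DST=192.168.11.3 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=37732 DF PROTO=TCP SPT=443 DPT=48875 WINDOW=0 RES=0x00 ACK RST URGP=0
IN IN=eth0 OUT= MAC=d4:be:d9:69:d1:51:00:11:95:63:c7:5e:08:00 SRC=31.13.80.23 DST=192.168.11.3 LEN=86 TOS=0x00 PREC=0x00 TTL=243 ID=33964 DF PROTO=TCP SPT=80 DPT=49617 WINDOW=0 RES=0x00 ACK RST URGP=0
IN IN=eth0 OUT= MAC=d4:be:d9:69:d1:51:00:11:95:63:c7:5e:08:00 SRC=31.13.80.7 DST=192.168.11.3 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=62292 DF PROTO=TCP SPT=80 DPT=60462 WINDOW=0 RES=0x00 ACK RST URGP=0
IN IN=eth0 OUT= MAC=d4:be:d9:69:d1:51:00:11:95:63:c7:5e:08:00 SRC=31.13.80.7 DST=192.168.11.3 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=22480 DF PROTO=TCP SPT=443 DPT=50876 WINDOW=0 RES=0x00 ACK RST URGP=0
"""

# Bare tokens the LOG target emits without "=": IP and TCP flag bits.
FLAGS = {"DF", "MF", "CE", "SYN", "ACK", "RST", "FIN", "PSH", "URG"}

def parse_line(line):
    """Turn one LOG line into a dict: prefix, key=value fields and a flag set."""
    prefix, sep, body = line.partition("IN=")
    if not sep:
        return None  # not a LOG-target line, skip it
    rec = {"prefix": prefix.strip(), "flags": set()}
    for tok in ("IN=" + body).split():
        key, eq, value = tok.partition("=")
        if eq:
            rec[key] = value  # empty values such as OUT= are kept as ""
        elif tok in FLAGS:
            rec["flags"].add(tok)
    return rec

def parse_log(text):
    return [r for r in map(parse_line, text.splitlines()) if r]

def select(records, **criteria):
    """Records matching every criterion, e.g. select(recs, PROTO="TCP", SPT="443")."""
    return [r for r in records if all(r.get(k) == v for k, v in criteria.items())]

def count_by(records, key):
    """Histogram of one field, e.g. top talkers by SRC."""
    return Counter(r.get(key) for r in records)

def dropped_syn_sources(records):
    """Sources whose connection attempts (SYN) hit a rule whose prefix ends in DROP (assumed naming)."""
    return sorted({r["SRC"] for r in records
                   if "SYN" in r["flags"] and r["prefix"].endswith("DROP")})

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(count_by(recs, "SRC").most_common(3))
    print(dropped_syn_sources(recs))
```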
Ulogd days
- ULOG
  - Netfilter introduces the ULOG target
  - iptables -A INPUT -p tcp -j ULOG --ulog-prefix "bad packet"
- Communication via a netlink socket
  - Special type of socket
  - Used for bidirectional kernel/userspace communication
- Ulogd, a ULOG logging daemon
  - Syslog and file output
  - SQL output: PGSQL, MySQL, SQLite
History
- 2.6.14 introduced new kernel-user interactions
  - libnetfilter_queue: userspace decision
  - libnetfilter_log: logging
  - libnetfilter_conntrack: connection tracking handling
- A long development
  - Started in 2005 by Harald Welte
  - Ulogd 2.0.0 beta1: 2006/01/09
  - Ulogd 2.0.0: 2012/06/17
  - Ulogd 2.0.2: 2013/03/03
Ulogd2: a ulogd generalisation
- Ulogd2
  - Interacts with the new libraries
  - Rewrite of ulogd
- libnetfilter_log (generalized ulog)
  - Packet logging
  - IPv6 ready
  - Few structural modifications
- libnetfilter_conntrack (new)
  - Connection tracking logging
  - Accounting, logging
- libnetfilter_nfacct (added recently)
  - High performance accounting
Ulogd in distributions

Distribution       Ulogd version
Linux Mint         1.24
Ubuntu             1.24
Fedora             2.0.0
Debian GNU/Linux   1.24
Debian testing     1.24
openSUSE           2.0.1
Arch Linux         2.0.1
PCLinuxOS          X
CentOS             X
Mageia             X
Slackware Linux    X

(X: no package available)

Distribution list: http://distrowatch.com/dwres.php?resource=major
Let me in!!
State of dependencies

Distribution       Ulogd   libnfnetlink  libmnl  log     conntrack  acct
Upstream           2.0.2   1.0.1         1.0.3   1.0.1   1.0.3      1.0.2
Requirement        -       1.0.1         1.0.3   1.0.0   1.0.2      1.0.1
Linux Mint         1.24    1.0.0         1.0.1   1.0.0   0.9.1      X
Ubuntu             1.24    1.0.0         1.0.3   1.0.0   1.0.1      X
Fedora             2.0.0   1.0.1         1.0.3   1.0.1   1.0.2      X
Debian GNU/Linux   1.24    1.0.0         X       0.0.16  0.0.101    X
Debian testing     1.24    1.0.0         1.0.3   1.0.0   1.0.1      X
openSUSE           2.0.1   1.0.1         1.0.3   1.0.1   1.0.2      1.0.1
Arch Linux         2.0.1   1.0.1         1.0.3   1.0.1   1.0.3      1.0.2
PCLinuxOS          X       X             X       X       X          X
CentOS             X       X             X       X       X          X
Mageia             X       X             1.0.2   X       X          X
Slackware Linux    X       X             X       X       X          X

(log, conntrack, acct: libnetfilter_log, libnetfilter_conntrack, libnetfilter_acct; Requirement: minimum library version needed by upstream ulogd; X: no package available)
Developer faults
- Library policy
  - Upgrade to the latest because it has fewer bugs
  - Unconditional compilation
    - Work started in ulogd 2.0.2
    - Patch proposed by the Gentoo maintainer
- Configuration upgrade
  - Incompatible configuration file
  - Incompatible database schema
- Lack of documentation
  - Little user documentation
  - Users don't ask for it
  - Netfilter should have a wiki soon
Distribution faults
- Some need to be boosted
  - They could propose an alternative to the old ulogd
  - No move if upstream doesn't move
- Few but powerful users
  - Lack of users
  - The few that exist build appliances
  - They maintain their own version
Questions?

Contacts
- Directly: [email protected]
- List: [email protected]

References
- Ulogd2: http://netfilter.org/projects/ulogd/index.html
- My blog: https://home.regit.org/